thanks for all your support every1. I did alot of reasearch on my own, but when you hit that wall you need some help. And yall have done just that, thanks again every1. love the forum : ]

Exactly my point earlier...the concepts behind hashes should be easy to get from Google...pretty standard info. I usually don't like the 'give me the answer' people, but prefer the 'help me get the answer, I'm working on it but I'm stuck' people. I always strive to be that kind of a person when seeking help.

LosT

Take a look at rainbowcrack, it uses rainbow tables to bruteforce hashes.
http://www.antsight.com/zsl/rainbowcrack/

3 Curious humans waiting to asked questions of the Great Oracle of Delphi, and each can learn from the those who preceed them.

Oracle: I AM THE GREAT ORACLE OF DELPHI! I KNOW EVERYTHING YOU NEED TO KNOW! ASK ME A QUESTION!
Curious Human 1: Could ask any question on any topic?
Oracle: YES.
Curious Human 1: Oh! What are the lottery numbers tomorrow?
Oracle: YOU ASKED YOUR QUESTION. NEXT!

Oracle: I AM THE GREAT ORACLE OF DELPHI! I KNOW EVERYTHING YOU NEED TO KNOW! ASK ME A QUESTION!
Curious Human 2: What will the score of the game tomorrow be, before it starts?
Oracle: ZERO TO ZERO! NEXT!

Oracle: I AM THE GREAT ORACLE OF DELPHI! I KNOW EVERYTHING YOU NEED TO KNOW! ASK ME A QUESTION!
Curious Human 3: How can I know as much as you, Great Oracle?
Oracle: YOU DON'T NEED TO KNOW THAT!

I've grown to like:
"(s)he who knows not, and knows not how to research is ingnorant and deserves to be ignored."

It's like telling people to 'google it' and having them reply with, "google did not help," or, "google did not return anything." When you verify that google does help, you know they are unwilling or unable to research.

Same thing goes for me, specially when its analogy time :)
It is true that reading maketh a full man.
...reminds me of the men of four.

"He who knows not and knows not that he knows not is a fool; shun him.
He who knows not and knows that he knows not is a child; teach him.
He who knows but knows not that he knows is asleep; wake him.
He who knows and knows that he knows is wise; follow him."

BK

Personally I have never had a problem with "simple one way hashes" because had it not been for this discussion I probably would have never given them a second thought. As far as being confusing, many things about computers are confusing to me, usually however, after logical discussion they seem to be more clear. I understand more about hashes now than if I had never read this thread. I am quite sure that given time and solid information I would understand RSA as well as anyone. Life is a learning experience, show me a man who claims to know everthing there is to know and I'll show you a damned liar.

Hehhee, true, but if they are having problems with something like simple one way hashes, then RSA would be totally confusing...I cross what? Where? Huh? ;)

LosT

Bah! RSA is the easy one (especially for mathmagicians). I could explain it to someone in less than an hour.

Proving it, though...

You think that is bad, lets really start confusing people and explaining the RSA algs for encryption... ;)

LosT

wow...thanks for the reply's all. Thats exactly what I was needing.....thanks a bunch every1.

Each program tends to use its own little tricks and algorithms, so the hashes tend to be different.

Note that if the hashing technique is the same, obtaining the hash may be as good as obtaining the password. Some applications go out of their way to avoid this problem by adding, for example, the application name or the name of the authenticating server. This is merely a more advanced technique of salting (also called nonce depending on the context).

In the real world, people tend to use the same password for multiple accounts. Although the database is specific to one application, cracking that application yields access to the other accounts.

Though more like a flat-file with special searching and indexing in memory than a DB, it has "kind of" been done with alphanumeric passwords even though L0pht had similar ideas in their presentation for future releases.
Similar techniques were used in the "Early days" when trying to break WEP before flaws in the original protocol were exposed.

Since Proofs Of Concept have been made available, the act of using a larger dictionary is only limited by resources available. Also, this problem lends itself very well to using distributed computing in an attack and can scale very well.

Your target is someone with lots of memory and disk space, or a farm of systems they can (ab)use with a total of free-space and RAM that is large and some coding or DB skills.

Would the hash for "bannana" remain the same whether it was, say for instance, an AOL password or an MSN password or would each create it's own hash? If the hash changed from one to the other then the theory of hashing a dictionary + 2 wouldn't hold water would it? I mean the English language contains some 68,000 +/- words and a hash system would contain an infinite number of combinations...not being a smart ass, just thinking out loud.

SQL may be overkill but it will be faster with a big dictionary of course. So, who'se up to it?

Or maybe a SQL DB optimized for searching? Only need one table with two fields (hash / plain-text) and a query for each hash lookup. DB abstraction and overhead allows for distribution too. Ordered lists in RAM would be faster, but RAM is more expensive than Secondary Storage (HD/CD/DVD/etc)

I AM CORNHOLIO! Are you threatening me? heh heh. :-)

[Maybe I should start war-sleeping. heh heh hrm. yeah!]